In this exercise, we’ll investigate how to install FDO and configure it. We’ll be using the “all-in-one” installation method to simplify the setup.
Note
The information below is provided as a reference only, and does not need to be run during the workshop. Your instructor has already set up FDO to speed up the flow of the workshop.
FDO is provided via RPMs, and can be installed with dnf:
sudo dnf -y install fdo-aio
Once finished, the various FDO components and utilities will be available on the system.
After installing FDO, the fdo-admin-tool can be used to generate the base configuration files and keys needed:
fdo-admin-tool aio --directory /etc/fdo/aio --binary-path /usr/libexec/fdo generate-configs-and-keys
Once the command completes, everything will be available under /etc/fdo/aio.
The two main configuration files we’ll review today are aio_configuration and serviceinfo_api_server.yml.
First, aio_configuration defines the overall configuration of the AIO installation:
---
cert_organization: FDO AIO
cert_country: US
listen_ip_address: 0.0.0.0
listen_port_manufacturing_server: 8080
listen_port_owner_onboarding_server: 8081
listen_port_rendezvous_server: 8082
listen_port_serviceinfo_api_server: 8083
separate_manufacturing_and_owner_voucher_store: false
manufacturing_enable_plain_di: false
manufacturing_disable_key_storage_filesystem: false
manufacturing_disable_key_storage_tpm: false
manufacturing_use_secp256r1: false
contact_hostname: ~
contact_addresses:
- IpAddr: 10.15.108.176
- IpAddr: "2620:52:0:f6c:250:56ff:fe9b:c712"
- IpAddr: "fe80::250:56ff:fe9b:c712"
serviceinfo_api_auth_token: S7RLRqSQeAi2c6qJItyHsnq+9no968D7k6tReMbWI2E=
serviceinfo_api_admin_token: sYYWHXSCC5hiE9fpo7/oMA+2EBuP7+LoLWfoU7JkI+4=
These are the defaults generated by the command above. Notice the certificate information (organization and country), the listening ports, the addresses used to contact the various services, and the auth and admin tokens for the serviceinfo API.
Next, the serviceinfo_api_server.yml:
---
service_info:
  initial_user:
    username: fdo-init
    sshkeys:
    - 'example-key-here'
  files:
  - path: /root/resolv.conf
    source_path: /etc/resolv.conf
  commands: ~
  diskencryption_clevis:
  - disk_label: /dev/sda4
    binding:
      pin: tpm2
      config: "{}"
    reencrypt: true
  additional_serviceinfo: ~
bind: "0.0.0.0:8083"
service_info_auth_token: S7RLRqSQeAi2c6qJItyHsnq+9no968D7k6tReMbWI2E=
admin_auth_token: sYYWHXSCC5hiE9fpo7/oMA+2EBuP7+LoLWfoU7JkI+4=
device_specific_store_driver:
  Directory:
    path: /etc/fdo/aio/stores/serviceinfo_api_devices
This configuration file defines the steps taken after the device has reached out to the onboarding server. The main components are:
diskencryption_clevis: Encryption of specific disks or partitions. Here, I’m using the TPM of the device to decrypt the disk.
initial_user: The user to create during the automated setup.
files: What files to copy during the automated setup.
commands: What commands to run as part of the automated setup.
These configuration files ultimately define the onboarding process handled by FDO.
Once our configurations are complete, FDO can be started via systemd:
systemctl enable --now fdo-aio
In addition, remember to allow FDO traffic through the firewall:
firewall-cmd --add-port=8080-8083/tcp --permanent
firewall-cmd --reload
Once complete, FDO will be ready to onboard our devices.
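The two generated files have to agree with each other and with the firewall rule: the owner onboarding server presents serviceinfo_api_auth_token to the serviceinfo API, which only accepts what it has as service_info_auth_token, and the firewall range has to cover every listen_port_* value. The following Python script is an added example, not code from the FDO project or from the workshop; it reads only the top-level key: value lines of both files (which is all these checks need, so it runs without PyYAML), reports mismatched tokens, a bind port that differs from the advertised API port, and the placeholder SSH key left in the generated file, and derives the firewall-cmd port argument from the configured ports. The two sample configuration texts are constructed for the example from the defaults shown above.

```python
"""Consistency checks for the two FDO AIO configuration files.

Added example; it is not code from the FDO project or from the workshop.
Only top-level ``key: value`` lines of aio_configuration and
serviceinfo_api_server.yml are parsed, which is all these checks need,
so no YAML library is required. Both sample texts are constructed for
this example and mirror the defaults shown in the exercise.
"""
import re

# Constructed sample: abbreviated aio_configuration with the page's defaults.
AIO_SAMPLE = """---
cert_organization: FDO AIO
listen_ip_address: 0.0.0.0
listen_port_manufacturing_server: 8080
listen_port_owner_onboarding_server: 8081
listen_port_rendezvous_server: 8082
listen_port_serviceinfo_api_server: 8083
contact_addresses:
- IpAddr: 10.15.108.176
serviceinfo_api_auth_token: S7RLRqSQeAi2c6qJItyHsnq+9no968D7k6tReMbWI2E=
serviceinfo_api_admin_token: sYYWHXSCC5hiE9fpo7/oMA+2EBuP7+LoLWfoU7JkI+4=
"""

# Constructed sample: abbreviated serviceinfo_api_server.yml.
SERVICEINFO_SAMPLE = """---
service_info:
  initial_user:
    username: fdo-init
    sshkeys:
    - 'example-key-here'
  diskencryption_clevis:
  - disk_label: /dev/sda4
    binding:
      pin: tpm2
      config: "{}"
    reencrypt: true
bind: "0.0.0.0:8083"
service_info_auth_token: S7RLRqSQeAi2c6qJItyHsnq+9no968D7k6tReMbWI2E=
admin_auth_token: sYYWHXSCC5hiE9fpo7/oMA+2EBuP7+LoLWfoU7JkI+4=
"""

# A key at column 0 followed by ':' and an optional inline value.
TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def top_level_keys(text):
    """Return {key: value} for column-0 'key: value' lines.

    Indented (nested) lines and list items are skipped. A key with no
    inline value (a mapping or list header) is stored as None.
    """
    result = {}
    for line in text.splitlines():
        m = TOP_LEVEL.match(line)
        if m:
            key, value = m.groups()
            value = value.strip().strip('"').strip("'")
            result[key] = value or None
    return result


def listen_ports(aio):
    """Collect every listen_port_* value from a parsed aio_configuration."""
    return sorted(int(v) for k, v in aio.items()
                  if k.startswith("listen_port_") and v)


def firewall_ports(aio):
    """Derive the --add-port arguments that cover exactly the configured ports.

    A contiguous set collapses to one range (8080-8083/tcp, as in the
    exercise); otherwise each port is listed alone so the rule does not
    open unused ports in between.
    """
    ports = listen_ports(aio)
    if not ports:
        raise ValueError("no listen_port_* keys found")
    if ports == list(range(ports[0], ports[-1] + 1)):
        return [f"{ports[0]}-{ports[-1]}/tcp"]
    return [f"{p}/tcp" for p in ports]


def check_consistency(aio_text, serviceinfo_text):
    """Return a list of findings; an empty list means the files agree."""
    aio = top_level_keys(aio_text)
    sis = top_level_keys(serviceinfo_text)
    findings = []

    # The onboarding server's token (aio side) must equal what the
    # serviceinfo API expects (serviceinfo side), for both roles.
    pairs = [("serviceinfo_api_auth_token", "service_info_auth_token"),
             ("serviceinfo_api_admin_token", "admin_auth_token")]
    for aio_key, sis_key in pairs:
        if aio.get(aio_key) != sis.get(sis_key):
            findings.append(f"{aio_key} in aio_configuration does not match "
                            f"{sis_key} in serviceinfo_api_server.yml")

    # The two tokens are separate credentials and should not share a value.
    if sis.get("service_info_auth_token") == sis.get("admin_auth_token"):
        findings.append("service_info_auth_token and admin_auth_token "
                        "share one value")

    # The API must listen on the port aio_configuration advertises for it.
    bind_port = (sis.get("bind") or "").rsplit(":", 1)[-1]
    if bind_port != aio.get("listen_port_serviceinfo_api_server"):
        findings.append(f"bind port {bind_port!r} differs from "
                        "listen_port_serviceinfo_api_server")

    # The generated file ships a placeholder SSH key; replace it with a
    # real public key before onboarding any device.
    if "example-key-here" in serviceinfo_text:
        findings.append("serviceinfo_api_server.yml still contains the "
                        "placeholder SSH key 'example-key-here'")
    return findings


if __name__ == "__main__":
    aio_cfg = top_level_keys(AIO_SAMPLE)
    print("firewall-cmd --permanent " +
          " ".join(f"--add-port={p}" for p in firewall_ports(aio_cfg)))
    for finding in check_consistency(AIO_SAMPLE, SERVICEINFO_SAMPLE):
        print("FINDING:", finding)
```

Run against the real files by reading /etc/fdo/aio/aio_configuration and /etc/fdo/aio/serviceinfo_api_server.yml in place of the two sample strings; with the generated defaults the only finding is the placeholder SSH key, which is exactly what has to change before a device is onboarded.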